Germany - National GDPR Implementation Overview
1.1. National implementing legislation of the GDPR
Germany was the first EU Member State to adopt a national law implementing the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') in the form of the Federal Data Protection Act of 30 June 2017 (implementing the GDPR) ('BDSG'), which entered into force on 25 May 2018 and which also implements the Data Protection Directive with Respect to Law Enforcement (Directive (EU) 2016/680) and amends a number of other federal laws, all listed in the BDSG.
On 27 June 2019, the German Parliament adopted the Second Act Adapting Data Protection Law to Regulation (EU) 2016/679 and Implementing Directive (EU) 2016/680 (only available in German here) ('the Second Data Protection Adaptation Act'). The Second Data Protection Adaptation Act further amends the BDSG and also amends 154 other federal laws (all listed in the Second Data Protection Adaptation Act) to reconcile them with the GDPR.
The Second Data Protection Adaptation Act introduced the following substantial amendments to the BDSG:
Data protection officers
Under the BDSG, private bodies that permanently employ at least ten persons dealing with the automated processing of personal data are required to appoint a data protection officer. The Second Data Protection Adaptation Act changed the number to 20 such employees in order to ease the burden for small businesses.
New Section 86
Section 86 provides that public and private bodies may process personal (including sensitive) data for purposes of national awards and honours without informing the data subject.
Processing special categories of data in the public interest
Section 22 of the BDSG has been changed to allow the processing of special categories of data by private bodies for reasons of significant public interest. According to the legislative documents, this change is intended to assist with deradicalisation programmes and to enable the passing on of data from private bodies to public security agencies in these circumstances.
With regard to the changes made to 154 other federal laws, these reportedly focus on adapting the laws to the GDPR terminology, legal bases for processing and data subject rights.
The BDSG applies to both private and public bodies of the Federation (and in very limited instances public bodies of the Länder). In the BDSG, the German legislator made ample use of several of the GDPR's opening clauses and maintains existing concepts from the previous Federal German data protection law as much as possible. Critics are alleging that some of the GDPR derogations codified in the BDSG go beyond what is permitted. It remains to be seen how these provisions will be interpreted and enforced in practice and whether they will be subjected to judicial challenge. The Second Data Protection Adaptation Act did not reverse any of the controversial derogations.
Each of the 16 Länder has also adopted a new state data protection law in light of the GDPR and is amending a variety of sector-specific data protection obligations in other state laws, such as hospital laws. As the new state data protection laws only apply to public bodies of the Länder, our subsequent discussion focuses on the BDSG.
The Data Protection Conference ('DSK'), a Working Group representing the Federal Commissioner for Data Protection and Freedom of Information ('BfDI') and the various supervisory authorities of the Länder and promoting a consistent application of data protection law across Germany, has issued the following GDPR guidance notes so far (only available in German here). These provide helpful practical guidance on:
- records of processing activities;
- sanctions and powers of supervisory authorities;
- data processing for advertising purposes;
- data transfers to third countries;
- data protection impact assessments;
- right of access;
- territorial scope;
- GDPR compliance measures;
- information obligations;
- right to be forgotten;
- data protection officers ('DPOs') at controllers and processors;
- data processors;
- data protection in the employment context;
- video surveillance;
- joint controllers;
- special categories of data;
- risks for the rights and freedoms of natural persons;
- processing on the instructions of the controller; and
The DSK has also issued a paper in April 2018 (only available in German here) stating its position that the data protection provisions embedded in the existing Telemedia Act 2007 ('Telemedia Act') (which has not been adapted to the GDPR pending the reform of the Directive on Privacy and Electronic Communications (Directive 2002/58/EC)) no longer apply, as they were overruled by the GDPR.
In addition, some supervisory authorities of the Länder have issued guidelines and templates for processing records and data processing agreements.
1.3. Case Law
By now, a number of German courts have issued decisions in relation to the GDPR. In the following, we have summarised two.
Competitors taking action for GDPR violations
A contested and, so far, unresolved issue in Germany is whether GDPR violations may constitute a breach of law under Section 3(a) of the Act Against Unfair Competition ('UWG'). If so, this would open the door to competitors bringing complaints for GDPR violations. The key question is whether the provisions of the GDPR are intended to regulate market behaviour and whether their breach has the potential to noticeably harm consumers, market participants or competitors.
While the Regional Court of Würzburg concluded in September 2018 (only available in German here) that competitors may bring an action for another's breach of Article 13 of the GDPR, the Regional Court of Bochum (August 2018, only available in German here) and the Regional Court of Stuttgart (May 2019) took the opposite view and argued that Articles 77 to 84 of the GDPR are exhaustive and leave no room for complaints under the German UWG.
In October 2018, the Higher Regional Court of Hamburg ('the Court of Hamburg') concluded (only available in German here) that Articles 77 to 84 of the GDPR are not exhaustive and that certain, but not all, GDPR violations may constitute a breach of law under Section 3(a) of the UWG. In this case, the defendant had processed health data without consent or any other legal basis. The Court of Hamburg found that the provisions regulating the processing of health data are not intended to regulate market behaviour and that their breach therefore could not be the subject of a competitor complaint. The Court of Hamburg did not shed any light on the question of which GDPR provisions would meet the criteria under Section 3(a) of the UWG. This is an area to watch closely; in light of various developments in Europe and beyond, the authors expect data protection and competition law to increasingly intersect and to be seen as protecting similar values.
Legitimate interests (Article 6(1)(f) of the GDPR)
The Higher Regional Court of Munich ('the Court of Munich'), on 24 October 2018, had to decide whether or not Article 6(1)(f) of the GDPR prevented the disclosure of personal data to a third party in response to the third party's request for information under the German Civil Code ('BGB').
In this case, during legal proceedings the defendant company had requested information from the claimant company in order to assess whether or not it was entitled to compensation for breach of contract (as part of a counterclaim). The request for information also covered personal data of customers of the claimant.
Article 6(1)(f) of the GDPR allows processing if it is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights of the data subject which require the protection of personal data. In this instance, the Court of Munich adopted a wide interpretation of Article 6(1)(f) of the GDPR and concluded that the defendant had a legitimate interest in the customer data being disclosed to it. It referred to Recital 47 of the GDPR, which lists a customer relationship as a legitimate interest, and argued that this confirms that the disclosure of customer data is per se permissible. It also emphasised that the right to data protection needs to be balanced against other fundamental rights, such as the right to freedom of expression or professional freedom. Finally, it assessed the type of data concerned and argued that in this instance only economic data about the contractual relationship was concerned, rather than sensitive data. Therefore, the customers' interests in safeguarding their personal data did not override the defendant's interest in the disclosure.
2. DATA PROTECTION AUTHORITY | REGULATORY AUTHORITY
2.1. Main regulator for data protection
Germany has both a federal data protection authority as well as 16 state data protection authorities, all of which are being maintained under the GDPR.
The federal regulator for data protection remains the Federal Commissioner for Data Protection and Freedom of Information ('BfDI') in Bonn, under Section 8 of the BDSG. The BfDI is competent to supervise the public bodies of the Federation and will represent Germany in the European Data Protection Board ('EDPB') as the joint representative and single point of contact.
In addition, each of the German Länder will continue to have a regulatory authority responsible for monitoring the application of data protection legislation by private bodies in its territory (Section 40 of the BDSG). From the perspective of private bodies, the 'main regulator' is the competent state authority that will be competent to monitor and enforce compliance with the GDPR.
Similarly to the GDPR, the BDSG prescribes cooperation mechanisms for the various regulators in order to ensure a consistent application of the GDPR. It also mirrors the GDPR provisions for establishing a lead supervisory authority within Germany, providing that the authority of the Land in which the controller or processor has its main or single establishment is the lead supervisory authority (Section 19 of the BDSG). The main establishment is to be determined in accordance with Article 4(16) of the GDPR, which designates as main establishment the place of central administration, unless the decisions on the purposes or means of processing are taken in another establishment which also has the power to implement such decisions, in which case that establishment is the main establishment. These provisions turn out to be rather complex to apply in practice.
2.2. Main powers, duties and responsibilities
The BfDI is competent to supervise the public bodies of the Federation (Section 9 of the BDSG). Section 16 of the BDSG provides that the BfDI has the powers referred to in Article 58 of the GDPR.
Section 14 of the BDSG sets out a long list of tasks of the BfDI and clarifies that these are in addition to the tasks contained in the GDPR. The tasks listed largely repeat Article 57 of the GDPR and include the following (amongst others):
- monitor and enforce the application of the BDSG and other data protection legislation;
- promote awareness in relation to data processing;
- handle complaints;
- cooperate with other supervisory authorities; and
- conduct investigations on the application of the BDSG and other data protection legislation.
The BfDI must also produce an annual activity report including a list of the types of violations reported and measures taken (Section 15 of the BDSG). This report will be made publicly available and provide an important window into enforcement priorities.
Importantly, supervision of GDPR compliance of private bodies falls onto the supervisory authorities of the Länder (Section 40 of the BDSG). If any such supervisory authority determines that data protection legislation has been violated, it has the power to inform data subjects concerned, report violations to other responsible bodies for prosecution or punishment and notify serious violations to the trade supervisory authority to take measures under trade and industry law.
3.1. National requirements
No notification or registration requirements vis-à-vis the data protection authorities apply in Germany. Notification obligations vis-à-vis data subjects are covered below under section 4.
4. DATA SUBJECT RIGHTS
Germany has restricted data subjects' rights granted under the GDPR by making use of relevant opening clauses. Some of these derogations are controversial.
Sections 32 and 33 of the BDSG list circumstances in which information must not be provided to data subjects as envisaged by Articles 13 and 14 of the GDPR respectively. These circumstances are very specific and narrow.
Firstly, in relation to Article 13 of the GDPR, such limitations only relate to instances where the controller intends to process the data for a purpose other than the original purpose for which the data was collected:
- the data concerned is stored in analogue form, the controller directly contacts the data subject through the further processing, the original and further purposes are compatible, the communication with the data subject does not take place in digital form and the interest of the data subject in receiving the information can be regarded as minimal; or
- providing the information would endanger public security or interfere with the establishment, exercise or defence of legal claims, and the controller's interests in not providing the information outweigh the interests of the data subject.
Originally, further restrictions of the right to be provided with information were envisaged but these were withdrawn in light of strong criticism. If one wants to rely on these derogations, a close reading of the complex Sections 32 and 33 of the BDSG is required. In addition, we recommend caution when relying on any of the GDPR derogations included in the BDSG as the German data protection authorities do not seem to take their validity for granted. For example, in their guidance on video surveillance, they openly state that whether and to what extent the new provisions for video surveillance in Section 4 of the BDSG apply or are overruled by the GDPR needs to be considered on a case-by-case basis.
The obligation to provide information to data subjects where data have not been obtained directly from the data subject also does not apply to the extent meeting this obligation would disclose information which by its nature must be kept secret, in particular because of overriding legitimate interests of a third party (Section 29(1) 1st sentence of the BDSG).
Section 35(1) of the BDSG provides that data subjects do not have a right to erasure in the case of non-automated processing if the erasure would be impossible or involve a disproportionate effort due to the mode of storage, provided the data subject's interest in erasure may be regarded as minimal and the data was processed lawfully. Restriction of processing will then apply instead of a right to erasure. These restrictions were heavily criticised by the European Commission during the legislative process but nonetheless found their way into the BDSG. It remains to be seen whether they will come under judicial challenge. That said, these restrictions are extremely narrow and unlikely to apply in practice, given they only apply in the rare case of non-automated processing. In addition, it is questionable whether these restrictions even constitute a derogation from the GDPR, as the GDPR applies to non-automated processing only to the extent the relevant personal data forms part, or is intended to form part, of a filing system. So, the relevant German provisions can only be classified as a GDPR derogation to the extent the relevant non-automated processing falls within the material scope of the GDPR.
Section 27(2) of the BDSG limits data subjects' right to restriction of processing under Article 18 of the GDPR to the extent that these rights are likely to render impossible or seriously impair the achievement of research or statistical purposes and such limits are necessary for the fulfilment of the research and statistical purposes.
Section 28(4) of the BDSG provides that in the case of data processing for archiving purposes in the public interest the right to restriction of processing does not apply as far as it renders impossible or seriously impairs the achievement of the archiving purposes, and the limitation is necessary to fulfil those purposes.
The BDSG does not contain any other variations of the right to restriction of processing as granted under the GDPR.
According to Section 28(4) of the BDSG in the case of data processing for archiving purposes in the public interest the right to data portability granted pursuant to Article 20 GDPR does not apply as far as it renders impossible or seriously impairs the achievement of the archiving purposes, and the limitation is necessary to fulfil those purposes.
The BDSG does not contain any other variations of the right to data portability as granted under the GDPR.
According to Section 37 of the BDSG, the right not to be subject to a decision based solely on automated processing granted to data subjects under the GDPR shall not apply (in addition to the exceptions included in the GDPR itself) if the decision is made in the context of providing services under an insurance contract and either of the following applies:
- any requests for performance of the data subject were fulfilled; or
- in the event that the data subject's request for performance is not granted in full, the decision is based on the application of binding rules of remuneration for therapeutic treatment and the controller takes suitable measures to safeguard the data subject's legitimate interests, such as granting the right to obtain human intervention on the part of the controller, to express his/her point of view and to contest the decision.
Section 35(2) of the BDSG clarifies that decisions based solely on automated processing may be based on the processing of health data.
5.1. National regulation of the processing of children's data and age of consent
The age of consent in Germany is 16 as the German legislator has not made use of its right to provide for a lower age of consent in relation to information society services as permitted under Article 8 of the GDPR.
6.1. National regulation concerning the processing of special categories of data and criminal conviction data
The BDSG does not contain rules for the processing of criminal conviction data.
The BDSG contains a number of derogations from the general prohibition on processing of special categories of data codified in Article 9 of the GDPR. These can be categorised into (1) general derogations, and (2) specific derogations relating to processing for scientific or historical research purposes, statistical purposes, archiving purposes in the public interest and employment purposes.
Section 22 of the BDSG provides by way of general derogation that processing of special categories of personal data is permitted by public and private bodies if:
- processing is necessary to exercise the right derived from the right of social security and social protection and to meet related obligations;
- processing is necessary for the purposes of preventive medicine, for the assessment of the working capacity of an employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services pursuant to the data subject's contract with a health professional and if these data are processed by health professionals or other persons subject to the obligation of professional secrecy or under their supervision;
- processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices; or
- processing is necessary for reasons of substantial public interest and the interests of the controller in the data processing outweigh the interests of the data subject (this derogation was added in June 2019 through the Second Data Protection Adaptation Act and previously only applied to processing by public bodies).
The prohibition on processing special categories of personal data is further lifted for public bodies in a number of instances such as where processing is urgently necessary to prevent substantial harm to the common good provided the interests of the controller outweigh the interests of the data subject (Section 22(1), lit.2 of the BDSG). This list should be consulted when intending to rely on the above derogations.
However, private or public bodies that wish to rely on any of the above derogations, must take appropriate and specific measures to safeguard the interests of the data subject. Section 22(2) of the BDSG provides a detailed list of measures that may be appropriate such as implementing technical organisational measures to ensure compliant processing, designating a DPO, restricting access to personal data, pseudonymising or encrypting data, etc.
Section 27 of the BDSG provides by way of specific derogation from Article 9 of the GDPR that processing of special categories of personal data is permitted without consent for scientific or historical research purposes or statistical purposes if such processing is necessary for these purposes and the interests of the controller in processing substantially outweigh those of the data subject in not processing the data. However, the following stringent conditions apply:
- the controller must take appropriate and specific measures to safeguard the interests of the data subject listed in Section 22(2) of the BDSG, such as pseudonymisation or encryption of data, restricting access to data or designating a DPO;
- the sensitive data shall be rendered anonymous as soon as the research or statistical purposes allow, unless this conflicts with legitimate interests of the data subject; until data is anonymised, the characteristics enabling information concerning personal or material circumstances to be attributed to an identified or identifiable individual must be stored separately and may be combined with the information only to the extent required by the research or statistical purposes; and
- the controller may publish personal data only with the data subject's consent or if doing so is indispensable for the presentation of research findings on contemporary events.
Also by way of specific derogation from Article 9 of the GDPR, processing of special categories of personal data is permitted if necessary for archiving purposes in the public interest (Section 28 of the BDSG) on the condition that the controller takes appropriate and specific measures to safeguard the interests of the data subject listed in Section 22(2), such as pseudonymisation or encryption of data, restricting access to data and designating a DPO.
Finally, Section 26(3) of the BDSG provides that the processing of special categories of personal data for employment-related purposes shall be permitted if necessary to exercise rights or comply with legal obligations derived from labour law, social security and social protection law, and there is no reason to believe that the data subject has an overriding legitimate interest in the data not being processed.
7.1. Additional/varied requirements on DPO appointment, role and tasks
For private bodies, Germany largely retains its pre-GDPR rules regarding the duty to appoint a DPO. In addition to the GDPR requirements, processors and controllers are required to designate a DPO if any of the following applies:
- they permanently employ at least 20 persons dealing with the automated processing of personal data (changed from ten to 20 persons by the Second Data Protection Adaptation Act);
- they undertake processing subject to a Data Protection Impact Assessment ('DPIA'); or
- they commercially process personal data for the purpose of transfer or anonymised transfer or for purposes of market or opinion research.
In practice, most businesses (except small businesses) operating in Germany will be required to appoint a DPO despite the recent change amending the threshold from ten to 20 employees.
The BDSG does not vary the role and tasks of DPOs for private bodies, except that it provides that mandatorily appointed DPOs will be subject to special dismissal protections. The BDSG is more prescriptive when it comes to DPOs of public bodies in that it clarifies their position and lists their tasks in addition to those under the GDPR.
8.1. Variation/exemptions on breach notification obligation
Section 29(1) of the BDSG provides that, in addition to the exceptions listed under Article 34(3) of the GDPR, the obligation to inform data subjects of a personal data breach shall not apply to the extent meeting this information obligation would disclose information which by law or its nature must be kept secret, in particular, because of overriding legitimate interests of a third party. However, by way of exception, the data subject must nonetheless be informed if his/her interests outweigh the interest in secrecy, in particular taking into account the threat of damage.
Importantly, Section 43(4) of the BDSG provides that breach notifications to a regulator or affected data subjects may not be used in proceedings pursuant to the Act on Regulatory Offences 1987 against the person required to provide such notification unless the person has consented. The German legislator is relying on Article 83(8) of the BDSG in order to justify this provision. No other Member State has taken a similar position.
8.2. Sectoral obligations
Other laws, such as the Telemedia Act and the Telecommunications Act 2004, still contain sectoral data breach notification requirements the validity of which is questionable in light of the GDPR.
9.1. National activities subject to prior consultation/authorisation
In August 2018, the German supervisory authorities agreed and issued a uniform, non-exhaustive 'DPIA blacklist' for the private sector, as required under Article 35(4) of the GDPR (only available in German here). This blacklist lists 17 types of data processing operations which require a DPIA. By way of example, these include:
- large-scale processing of location data (e.g., for car sharing or mobility services or for tracking purchasing behaviour);
- matching or combining data sets on a large scale, for use in relation to algorithms, for secondary purposes, or for decision making solely based on automated processing;
- processing personal data for purposes of profiling; and
- large-scale processing of personal employee data with potentially significant effects on employees.
The blacklist provides very practical and detailed examples of data processing activities that are likely to be subject to the DPIA requirement. It is highly recommended that organisations consult the blacklist for guidance.
Finally, the DSK has issued practical guidance on how to carry out a DPIA (only available in German here). However, on the question of whether a DPIA needs to be carried out at all, the DSK guidance refers to the above-mentioned blacklist.
9.2. National activities not subject to prior consultation/authorisation
None of the German supervisory authorities have issued any 'whitelists' under Article 35(4) of the GDPR to date.
10.1. National implementation of Article 89 of the GDPR
Sections 27 and 28 in conjunction with Section 22(2) of the BDSG codify the German implementation of Article 89 of the GDPR, which provides that processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes must be subject to appropriate safeguards for the rights and freedoms of individuals. It also provides that where personal data are processed for these purposes, certain rights of data subjects may be limited subject to suitable safeguards in place.
Section 22(2) of the BDSG lists the safeguards mandated by Article 89(1) of the GDPR to protect the rights and freedoms of the data subjects.
The German legislator has made use of the room for derogations provided by Article 89(2) and (3) of the GDPR as follows.
Section 27(2) of the BDSG provides that in cases of data processing for purposes of scientific or historical research or for statistical purposes, the following rights of data subjects be limited to the extent that these rights are likely to render impossible or seriously impair the achievement of the research or statistical purposes and such limits are necessary for the fulfilment of the research or statistical purposes:
- right of access (Article 15 of the GDPR), refer to section 12.4 below;
- right to rectification (Article 16 of the GDPR), refer to section 12.6 below;
- right to restriction of processing (Article 18 of the GDPR), refer to section 4.3 above; and
- right to object (Article 21 of the GDPR), refer to section 12.5 below.
Similarly, Section 28(2) to (4) of the BDSG provides that in cases of data processing for archiving purposes in the public interest, the following rights of data subjects shall not apply in certain circumstances:
- right of access (Article 15 of the GDPR), refer to section 12.4 below;
- right to rectification (Article 16 of the GDPR), refer to section 12.6 below;
- right to restriction of processing (Article 18 of the GDPR), refer to section 4.3 above;
- right to data portability (Article 20 of the GDPR), refer to section 4.4 above; and
- right to object (Article 21 of the GDPR), refer to section 12.5 below.
As a general rule, the sanctions provided under the GDPR will apply. The BDSG provides for special rules in the following two cases.
Firstly, Section 30 of the BDSG imposes special information and notification requirements upon bodies that process personal data for purposes of granting consumer loans and undertaking related evaluations of creditworthiness. Section 43 of the BDSG provides that violations of these requirements may be punished by a fine of up to €50,000.
Secondly, Section 42 of the BDSG provides that:
- transferring data to a third party or otherwise making it accessible for commercial purposes may be punished with up to three years imprisonment or a fine if done deliberately and without authorisation with regard to the personal data of a large number of people; and
- processing data that is not publicly available without authorisation or fraudulently acquiring such data in return for a payment or with the intention of enriching oneself or someone else or harming someone may be punished with imprisonment of up to two years or a fine.
12. OTHER SPECIFIC JURISDICTIONAL ISSUES
12.1. Data protection in the employment context
Article 88 of the GDPR allows Member States to provide for more specific rules to ensure the protection of rights and freedoms in respect of the processing of employees' personal data in the employment context. Germany largely retains its pre-GDPR rules for data processing for employment-related purposes.
Essentially, Section 26 of the BDSG provides that:
- personal data of employees may be processed for employment-related purposes as necessary for starting, carrying out or terminating an employment relationship or to exercise or satisfy rights and obligations of employees' representation laid down by law or by collective agreements or other agreements between the employer and staff council;
- processing of special categories of personal data is permitted if necessary to exercise rights or comply with legal obligations derived from labour law, social security and social protection law, and there is no reason to believe that the data subject has an overriding legitimate interest in the data not being processed;
- processing of personal data, including special categories of data, for employment-related purposes is permitted on the basis of collective agreements; and
- in order to detect crimes, employees' personal data may only be processed if there is a documented reason to believe the data subject has committed a crime while employed, the processing is necessary to investigate the crime and not outweighed by the data subject's legitimate interest in not processing the data, and the type and extent are not disproportionate to the reason.
The BDSG further clarifies that in determining whether an employee's consent to data processing is freely given, an employee's level of independence in the employment relationship and the circumstances under which consent is given play a crucial role. Consent may be freely given if it is associated with a legal or economic advantage of the employee or if the employee and employer are pursuing the same interests. Consent shall generally be given in writing and the employer shall inform the employee in writing of the purpose of the data processing and the employee's right to withdraw consent.
Employees are defined broadly and also include persons who apply for employment or whose employment has been terminated.
12.2. Video surveillance
Section 4 of the BDSG contains specific rules relating to video surveillance of publicly accessible areas. It provides that such video surveillance is only permissible to the extent it is necessary for one of the following:
- for public bodies to perform their tasks;
- for determining whether access shall be allowed or denied; or
- to safeguard legitimate interests for specifically defined purposes.
In addition, there must be no indication of legitimate overriding interests of the data subjects.
Appropriate measures must be taken so that the fact of surveillance, together with the controller's name and contact details, is recognisable as early as possible. Storing or using the data collected is permitted only if necessary to achieve the intended purpose and there is no indication of overriding legitimate interests of data subjects. The data must be deleted without delay if no longer needed or if retention would be contrary to data subjects' legitimate interests. Further processing of the data collected is only permissible as necessary to prevent threats to state and public security and to prosecute crimes. Information obligations apply if data collected from video surveillance is attributed to a particular person.
However, the German Federal Administrative Court ('Administrative Court') ruled in March 2019 that video surveillance by private sector organisations is solely subject to Article 6 of the GDPR while the more lenient Section 4 of the BDSG is no longer applicable as it is incompatible with the GDPR. Section 4 BDSG was originally introduced in response to terrorist attacks and rampages in order to allow more privately operated video surveillance cameras in public spaces. But the provision has been controversial since its inception and criticised by various German data protection authorities as leading to excessive surveillance. In their guidance on video surveillance, the German data protection authorities had also stated that whether and to what extent the new provisions for video surveillance in Section 4 of the BDSG apply or are overruled by the GDPR needs to be considered on a case-by-case basis. The Administrative Court has now clarified that video surveillance by private sector organisations must comply with Article 6(1)(f) of the GDPR (only available in German here).
12.3. Scoring and credit reports
Using a probability value for credit scoring or reporting purposes is subject to the following strict conditions listed in Section 31 of the BDSG:
- data protection law is complied with;
- the data used to calculate the probability value are demonstrably essential for calculating the probability of the action on the basis of a scientifically recognised mathematical-statistical procedure;
- other data in addition to address data are used to calculate the probability value; and
- if address data are used, data subjects are notified in advance of such use.
12.4. Variations of GDPR on right of access
The BDSG restricts data subjects' right of access as granted under Article 15 of the GDPR in various instances as follows.
12.4.1. General restriction
Section 34(1) of the BDSG provides that the right of access shall not apply:
- if the data were recorded only because they may not be erased due to legal or statutory retention provisions or only serve the purpose of monitoring data protection or safeguarding data, and in each case providing information would require a disproportionate effort and appropriate technical and organisational measures make processing for other purposes impossible; or
- if the controller is exempt from its information obligations pursuant to Section 33 of the BDSG where personal data collected have not been obtained directly from the data subject.
In either case, the controller must document the reasons for refusal to provide information and inform the data subject of those reasons unless the latter would undermine the intended purpose of refusing to provide the information.
12.4.2. Restrictions in the case of secrecy obligations
The right of access does not apply to the extent providing access would disclose information which by law or its nature must be kept secret, in particular, because of overriding legitimate interests of a third party (Section 29(1) of the BDSG).
12.4.3. Restrictions in the case of data processing for research and statistical purposes
Section 27(2) of the BDSG further limits the right of access in relation to data processing for research and statistical purposes as follows:
- the right of access is limited to the extent that it is likely to render impossible or seriously impair the achievement of research or statistical purposes and such limits are necessary for the fulfilment of the research and statistical purposes (Section 27(2) of the BDSG); and
- the right of access does not apply if the data are necessary for purposes of scientific research and the provision of information would involve disproportionate effort (Section 27(2) of the BDSG).
12.4.4. Restrictions in case of data processing for archiving purposes in the public interest
According to Section 28(2) of the BDSG, the right of access does not apply in case of data processing for archiving purposes in the public interest if the archival material is not identified with the person's name or the data subject does not provide any information which would enable the archival material to be found with reasonable administrative effort.
12.5. Variations of GDPR on right to object
The BDSG limits data subjects' right to object according to Article 21 of the GDPR in the following ways:
- Section 28(4) of the BDSG provides that in the case of data processing for archiving purposes in the public interest the right to object to data processing does not apply as far as it renders impossible or seriously impairs the achievement of the archiving purposes, and the limitation is necessary to fulfil those purposes;
- in cases of data processing for purposes of scientific or historical research and for statistical purposes, the right to object is limited to the extent that it is likely to render impossible or seriously impair the achievement of research or statistical purposes and such limits are necessary for the fulfilment of the research and statistical purposes (Section 27(2) of the BDSG); and
- with regard to public bodies, the right to object does not apply if the processing is required by law or if there is an urgent public interest in the processing which outweighs the interests of the data subject.
12.6. Variations of GDPR on right to rectification
The right to rectification does not apply if personal data is processed for archiving purposes in the public interest (Section 28(3) of the BDSG). In the event that a data subject disputes the accuracy of personal data, he or she must be given the opportunity to present his or her version, which must be added to the files by the responsible archive.
12.7. Processing and freedom of expression and information
Despite the fact that the BDSG does not contain any derogations from the GDPR in order to reconcile the right to data protection with the right to freedom of expression and information as permitted by Article 85 of the GDPR, Germany still provides for special rules for the processing of personal data by the media. These are contained in the data protection laws of the Länder.